USDA security improvements still not effective: IG
- By Mary Mosquera
- Oct 20, 2006
The Agriculture Department continues to suffer from inadequate management and monitoring of IT security controls, both at the department-level and in its agencies.
Although USDA accelerated efforts to comply with the Federal Information Security Management Act during fiscal 2006, significant weaknesses abound, said the USDA Office of Inspector General in its recent annual audit of the CIO's FISMA report.
An effective IT security program needs time to mature, said USDA Inspector General Phyllis Fong.
'Due to the significance of these weaknesses, the department cannot be assured that its systems and data are adequately secured,' she said.
According to the CIO report on USDA compliance with FISMA, USDA made a number of improvements last year. Among them, USDA developed a scorecard to focus managers' attention and commitment on security and to increase their monitoring of IT security. USDA also began using the Automated Security Self-Evaluation and Remediation Tracking, or Assert, tool to support automated scoring efforts to secure systems.
But those and other improvements did not always perform as well as they should, the inspector general's report said.
USDA put in place a new system to track plans of action and milestones.
The system, however, did not track all IT weaknesses and reported conflicting information, and agencies did not ensure that corrective actions were complete before closing out a weakness.
The CIO's office is developing a process for initiating, reviewing and updating the department's policies to provide guidance for improving security compliance under Office of Management and Budget, National Institute of Standards and Technology and department regulations. It also is performing a gap analysis to prioritize required policy work, developing a program to review and update existing policies, and developing a security review program to evaluate the accuracy of the information agencies provide, in order to improve the effectiveness of their security programs.
'Until these controls are in place, operating and effectively established, IT management and security remain a material internal control weakness for the department,' Fong said.
Among the weaknesses: the CIO implemented an annual departmentwide IT system inventory requirement, but the auditors could not vouch for its accuracy or completeness because the CIO did not validate the information reported by the agencies.
The auditors could not determine an accurate number of systems that USDA had adequately certified and accredited. The CIO reassessed some certification and accreditation documentation from the previous year because it was not satisfactory. Auditors found that two of the three reviews they assessed should not have received final accreditation because the documentation related to legacy systems that were being replaced.
USDA also did not always track security incidents, report them to the proper authorities and close them in a timely fashion. The department still needs to implement an incident tracking database, which it agreed to do three years ago.
The CIO's office said it is trying to secure USDA systems while making them available for everyday business. Improvements for this year include:
- Transferring functions to the security operations center, which will centrally manage and monitor the network;
- Providing a new cybersecurity customer service liaison program to handle inquiries and track and monitor progress toward resolving customer issues;
- Requiring USDA agencies to complete FISMA reports sooner to allow for independent verification and validation of results;
- And simplifying guidance.
Mary Mosquera is a reporter for Federal Computer Week.